Facts Security Part 2: Layers of Security and the Value of Information

August 25 2023
Introduction
To secure something is to be in some way prepared to avoid and mitigate unwanted
outcomes.
Think of locking a bicycle in the shady part of town. I can put one lock on the
bike to be prepared in case there is a thief in the area. With further assessment,
I may put three different types of locks on the bike to further mitigate the risk,
by making it take longer to break through each lock as well as requiring multiple
different tools to break each lock. Even further, I could put a tracking device
on the bicycle in case my locks fail to secure it, adding more layers to the
protection. How much is too much, though? As you can tell, you'd probably
want more information such as the value of the bicycle, the time of day, how long
you plan to lock your bike there, etc., in order to accurately estimate the
amount of security you need.
This analogy illustrates that the risks need to be assessed in order to effectively
secure something. We want to avoid using too many resources to secure something
with little value, and we want to avoid not using enough resources to secure our
valuable things.
A Password by Itself is Data
Passwords are generally thought of as Data that needs to be secured. They
usually provide access to something such as an account. One outcome that
we want to avoid is unauthorized access to our accounts. Knowing the account
name by itself typically isn't risky; for example, many people know your email
address. Just knowing of 'a password' by itself typically isn't risky; for
example, you can search Google for a list of the most common passwords (please
change your password if it appears on a common password list). The Fact that
we want to secure is "XYZ is the password to my account ABC." We don't want others
to discover this Fact, so we would take steps to avoid the possibility that someone
could discover this. An example of a step that you could take would be periodically
changing your passwords.
Just securing the password may not be enough. Something unforeseeable can happen
in the future, such as a Zero-Day exploit on the service your account is hosted on,
bypassing authentication. This is where the value of what you are trying to protect
becomes subjective. In some cases you want to take extra steps to secure your
valuable things. We're going to want to dig deeper into WHY we don't want our
accounts to be accessed before we can figure out solutions to prevent or mitigate
any unwanted outcomes.
Multiple Layers of Security
Here are some more real world analogies that can provide insight into layers of
security. Passwords, keys, and locks are nice, but think about the entirety of
the effort used to secure our things.
You can use a small combination lock for your locker, but what are you comfortable
with storing behind a lock that can be bypassed with one swing of a hammer? If
someone breaks in when no one is around, they have a high chance of succeeding in
theft.
A lock could be part of a door, such that the door itself needs to be bypassed
after breaking the lock. That intruder now needs to make sure no one is in the
building, no suspicious neighbors are around, etc. There are more factors than
just the lock that aid in security.
A lock can be part of a vault. Now the intruder has to bypass walls, guards,
cameras, and travel deep enough into the building to reach that vault before
even attempting to break the lock. Then they need to escape! In this case, even
if one possesses the password or key, more layers of security need to be bypassed.
It's generally easier to gauge the value of the physical things that you're
securing, which helps in figuring out how much effort and investment you would
use to secure them. There already exists a structure that applies monetary value
to objects. There may also be different contexts like sentimental value, and
different perspectives on the value of money such as a rich versus a poor point
of view. In general though, you would probably want to store your life savings
in a bank, not your gym's dressing room locker.
It's also generally easier to visualize the security of a vault versus the
security of the password for your accounts. That single password to your account,
no matter how complex and long it is... don't mistake it for a fortress.
Personally Identifiable Information
Figuring out the value of Data and Information is not as intuitive as physical
things. One piece of Data doesn't seem like much to lose or expose. Even something
often mentioned as important to an individual, Personally Identifiable
Information (PII), is treated with different priorities for security depending
on the context. PII refers to information that could be used to identify an
individual.
Wise words used to be "don't tell anyone on the internet your full name, address,
etc." Look at the Information on your resume: name, phone number, email address,
possibly other things like address, a schedule of your locations, your education,
work experience, your mom's maiden name, and so on. Can you label what is your
PII and what isn't? That Information is uploaded to LinkedIn, or sent to a random
job ad that might not even be real, or perhaps printed and handed out like flyers.
Who are all the people that now have access to some of your PII? Why were we supposed
to care about our PII in the first place?
So now you have this Information about you on a poster in public. Someone could
search for and find you, look through your trash, figure out your diet, medication,
bills, habits, schedule, and so on. On the other hand, there is a data breach at
the hospital you go to that exposes all clients' medical records and other PII.
The former you're not even thinking twice about, but in the latter situation the
media tells you to be outraged? What's different?
I realize you can break down the examples of public resume versus a hospital data
breach and come up with arguments as to why the data breach may be a bigger risk
to you than exposing your resume. My point is that the average person is not
knowledgeable or aware of the potential value of their Data and Information, which
could result in a lack of security applied to what matters. In other words,
people may have gaps in their knowledge of the Facts they need to secure.